
Windows Server 2012: Getting started with PowerShell Web Access

I have been using Windows Server 2012 for quite some time, and one of the best features in Management & Automation is PowerShell Web Access.

So what is PowerShell Web Access?

Windows PowerShell® Web Access is a new feature in Windows Server® 2012 that acts as a Windows PowerShell gateway, providing a web-based Windows PowerShell console that is targeted at a remote computer. It enables IT Pros to run Windows PowerShell commands and scripts from a Windows PowerShell console in a web browser, with no Windows PowerShell, remote management software, or browser plug-in installation necessary on the client device. All that is required to run the web-based Windows PowerShell console is a properly-configured Windows PowerShell Web Access gateway, and a client device browser that supports JavaScript® and accepts cookies.

Examples of client devices include laptops, non-work personal computers, borrowed computers, tablet computers, web kiosks, computers that are not running a Windows-based operating system, and cell phone browsers. IT Pros can perform critical management tasks on remote Windows-based servers from devices that have access to an Internet connection and a web browser.

After successful gateway setup and configuration, users can access a Windows PowerShell console by using a web browser. When users open the secured Windows PowerShell Web Access website, they can run a web-based Windows PowerShell console after successful authentication.

Ideally, this is how the overall architecture would look in a production environment.

Step 1: Log in to the Domain Controller machine DPE-WS12-VM01 to install PowerShell Web Access using Server Manager. WE WILL PERFORM THE STEPS USING SERVER MANAGER.

Note: You can also perform Step 1 using PowerShell. Refer to http://technet.microsoft.com/en-us/library/hh831611.aspx

Open Server Manager & click on Add roles & features

Click Next on wizard. On the next screen select Role-based or feature-based installation & click Next.

Select the server in the list & click Next.

Click Next on the Server Roles page. On the Features page scroll down, expand Windows PowerShell & select Windows PowerShell Web Access. When you select it, a new pop-up will appear; click on Add Features. Lastly click Next.

Click Next on Web Server Role (IIS) screen & also click Next on Role Services screen.

Lastly click on Install.

Once completed you will see the following screen. Click on Close to complete.

In Step 1, we have installed the feature Windows PowerShell Web Access & the server role Web Server Role (IIS).

Step 2: Now that we have installed the feature Windows PowerShell Web Access, we need to configure the PowerShell Web Access gateway so that its application pool is available in IIS Manager under Default Website. WE WILL PERFORM THE FOLLOWING USING POWERSHELL.

When you install the feature Windows PowerShell Web Access, the application folder is located in C:\Windows\Web\PowerShellWebAccess\wwwroot

Configure PowerShell Web Access Gateway using the following PowerShell Cmdlet.

Do one of the following to open a Windows PowerShell session.

On the Windows desktop, right-click Windows PowerShell on the taskbar.

On the Windows Start screen, click Windows PowerShell.

Type the following, and then press Enter.

Install-PswaWebApplication -UseTestCertificate

The following settings are configured by running the cmdlet. You can change these manually in the IIS Manager console, if desired.

Path: /pswa

ApplicationPool: pswa_pool

EnabledProtocols: http

PhysicalPath: %windir%/Web/PowerShellWebAccess/wwwroot

At this stage you can see the PowerShell Web Access application pool configured in IIS Manager & also verify the same using the web browser. Important: You cannot sign in until users have been granted access to the website by adding authorization rules.

Step 2B: You can also verify the same from a web browser. Go to the CLIENT machine, i.e. DPE-WIN8-CLI01. Open Internet Explorer & open https://DPE-WS12-VM01/pswa. As we are using the test certificate, you will see a certificate warning. Click on Continue.

Note: In a production environment you must configure security using a valid SSL certificate signed by a certificate provider.

Step 2C: Once you click on Continue you will see the following Windows PowerShell Web Access login page.

Every Windows PowerShell session uses a session configuration; if one is not specified for a session, Windows PowerShell uses the default, built-in Windows PowerShell session configuration, called Microsoft.PowerShell. The default session configuration includes all cmdlets that are available on a computer. Administrators can restrict access to all computers by defining a session configuration with a restricted runspace (a limited range of cmdlets and tasks that their end users could perform). A user who is granted access to one computer with either full language access or only the Windows PowerShell remote management cmdlets can connect to other computers that are connected to the first computer. Defining a restricted runspace can prevent users from accessing other computers from their allowed Windows PowerShell runspace, and improves the security of your Windows PowerShell Web Access environment. The session configuration can be distributed (by using Group Policy) to all computers that administrators want to make accessible through Windows PowerShell Web Access. For more information about session configurations, see about_Session_Configurations. The following are some examples of this scenario.

In this example, an administrator has set up a private test environment, and wants to allow all authorized network users access to all computers on the network to which they typically have access, with access to all session configurations to which they typically have access. Because this is a private test environment, the administrator creates an authorization rule that is not secure. The administrator runs the cmdlet Add-PswaAuthorizationRule * * *, which uses the wildcard character * to represent all users, all computers, and all configurations.

This rule is the equivalent of the following: Add-PswaAuthorizationRule -UserName * -ComputerName * -ConfigurationName *

We will perform the above step in PowerShell on the Domain Controller DPE-WS12-VM01.

With the above rule we have allowed all authorized network users access to all computers on the network, with access to all session configurations to which they typically have access.
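The wildcard rule above is, as the text says, not secure and fits only a private test environment. The following is an added example (not part of the original post) showing a restricted session configuration on a managed server and a scoped authorization rule on the gateway in place of `* * *`. The group CONTOSO\PswaOperators, the user CONTOSO\alice, the server SRV-APP01, the rule name and the configuration name PswaRestricted are assumed placeholders, and the visible cmdlets are an arbitrary read-only selection.

```powershell
# Added example. Assumed placeholders: CONTOSO\PswaOperators (AD group),
# CONTOSO\alice (member of that group), SRV-APP01 (managed server),
# PswaRestricted (session configuration name).

# --- Part 1: run on the managed server (SRV-APP01) ---
# RestrictedRemoteServer starts from a small set of proxy functions and
# defaults to the NoLanguage language mode; only the listed cmdlets are added.
$pssc = Join-Path $env:ProgramData 'PswaRestricted.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -ModulesToImport 'Microsoft.PowerShell.Management' `
    -VisibleCmdlets 'Get-Service', 'Get-Process', 'Get-EventLog'
Register-PSSessionConfiguration -Name 'PswaRestricted' -Path $pssc -Force

# --- Part 2: run on the gateway (DPE-WS12-VM01) ---
Import-Module PowerShellWebAccess

# Audit: list every authorization rule that uses a wildcard in any field.
$wildcardRules = Get-PswaAuthorizationRule | Where-Object {
    $_.User -eq '*' -or $_.Destination -eq '*' -or $_.ConfigurationName -eq '*'
}
$wildcardRules | Format-Table Id, RuleName, User, Destination, ConfigurationName

# Remove the wildcard rules, then add one rule scoped to a single group,
# a single computer and the restricted session configuration.
if ($wildcardRules) { $wildcardRules | Remove-PswaAuthorizationRule -Force }
Add-PswaAuthorizationRule -RuleName 'Operators-to-SRV-APP01' `
    -UserGroupName 'CONTOSO\PswaOperators' `
    -ComputerName 'SRV-APP01' `
    -ConfigurationName 'PswaRestricted'

# Verify: the first test should return the new rule; the second should
# return nothing, because the default Microsoft.PowerShell configuration
# is no longer authorized through the gateway.
Test-PswaAuthorizationRule -UserName 'CONTOSO\alice' `
    -ComputerName 'SRV-APP01' -ConfigurationName 'PswaRestricted'
Test-PswaAuthorizationRule -UserName 'CONTOSO\alice' `
    -ComputerName 'SRV-APP01' -ConfigurationName 'Microsoft.PowerShell'
```

Users signing in to the gateway then enter PswaRestricted as the configuration name on the login page; sessions that request any other configuration are refused by the gateway.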

Hi, I am getting this error:
"The Windows PowerShell Web Access gateway cannot establish a connection to the destination computer. Contact the gateway administrator."
I am not using an AD controller, am using WORKGROUP with a self-signed certificate.